CVE-2026-42349
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. The has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks whose correct result is false, so a gated action proceeds for a user who does not satisfy the full set of requested conditions. Under certain conditions, a check with either of the following call shapes can be bypassed: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan; or a call that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
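As an added illustration that is not Clerk's own code, the reference evaluator below shows the intended semantics of the combined call shapes named above: every requested condition is evaluated on its own and all of them must hold. The session fields, reverification windows and sample values are constructed assumptions for this example; a practitioner can run the same shapes against their own authorization wrapper as a regression check.

```javascript
// Added example, not Clerk's code: a reference evaluator for the combined
// authorization call shapes named in the advisory. Each requested condition
// is evaluated on its own and the result is the AND of all of them, so a
// single unmet condition makes the whole check false.
// Reverification windows (seconds) are assumed values for this example.
const REVERIFICATION_WINDOW_SEC = { strict: 600, moderate: 3600, lax: 86400 };

// `session` is a constructed stand-in for a server-side auth object;
// its field names are assumptions for this example.
function isReverified(session, level, nowSec) {
  const maxAge = REVERIFICATION_WINDOW_SEC[level];
  if (maxAge === undefined || session.lastVerifiedAtSec === null) return false;
  return nowSec - session.lastVerifiedAtSec <= maxAge;
}

function hasAll(session, params, nowSec) {
  const checks = [];
  if (params.role !== undefined) checks.push(session.orgRole === params.role);
  if (params.permission !== undefined) checks.push(session.orgPermissions.includes(params.permission));
  if (params.feature !== undefined) checks.push(session.features.includes(params.feature));
  if (params.plan !== undefined) checks.push(session.plan === params.plan);
  if (params.reverification !== undefined) checks.push(isReverified(session, params.reverification, nowSec));
  // A call that requests no condition gates nothing; treat it as denied.
  if (checks.length === 0) return false;
  return checks.every(Boolean);
}

// Constructed sample sessions with a fixed clock so results are deterministic.
const NOW_SEC = 1700000000;
const ADMIN_NOT_REVERIFIED = { orgRole: 'org:admin', orgPermissions: ['org:settings:manage'],
  features: ['exports'], plan: 'pro', lastVerifiedAtSec: null };
const ADMIN_REVERIFIED = { ...ADMIN_NOT_REVERIFIED, lastVerifiedAtSec: NOW_SEC - 120 };
const MEMBER_FREE = { orgRole: 'org:member', orgPermissions: [], features: [], plan: 'free',
  lastVerifiedAtSec: NOW_SEC - 120 };

// The call shapes the advisory lists, with the result each must produce.
function evaluateAdvisoryShapes() {
  return {
    roleOnlyAdmin: hasAll(ADMIN_NOT_REVERIFIED, { role: 'org:admin' }, NOW_SEC), // true
    roleAndReverifyAdminStale: hasAll(ADMIN_NOT_REVERIFIED, { role: 'org:admin', reverification: 'strict' }, NOW_SEC), // false
    roleAndReverifyAdminFresh: hasAll(ADMIN_REVERIFIED, { role: 'org:admin', reverification: 'strict' }, NOW_SEC), // true
    planAndReverifyMember: hasAll(MEMBER_FREE, { plan: 'pro', reverification: 'lax' }, NOW_SEC), // false
    featureAndRoleMember: hasAll(MEMBER_FREE, { feature: 'exports', role: 'org:member' }, NOW_SEC), // false
    permissionAndPlanAdmin: hasAll(ADMIN_NOT_REVERIFIED, { permission: 'org:settings:manage', plan: 'pro' }, NOW_SEC), // true
  };
}
```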
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
@clerk/astro · @clerk/backend · @clerk/chrome-extension · @clerk/clerk-expo · @clerk/clerk-react · @clerk/expo · @clerk/express · @clerk/fastify · @clerk/hono · @clerk/nextjs · @clerk/nuxt · @clerk/react · @clerk/react-router · @clerk/shared · @clerk/tanstack-react-start · @clerk/vue · clerk/javascript